Academic Freedom vs. Network Monitoring
By Larry Dignan | Posted 2004-09-01
As a new school year starts, university I.T. administrators must learn how to counter threats to their networks from increasingly computer-savvy students.
Network monitoring software runs into potential problems when it tries to sleuth out the answers to the following questions: Does this IP address have access to a human-resources database? Why is this student downloading 10 movies? Does this student have the right to this content? The answers to these questions aren't necessarily easy to find when monitoring the contents of e-mails and messages is a no-no because of academic freedom. Corporations can take much greater liberties in watching employees.
It's a delicate balance, Temares says. The strategy is to learn as much as possible from students and implement technology such as messaging and bandwidth partitioning accordingly while not compromising security. One caveat: Executives say student networks need to be kept separate, even quarantined in some cases, if they are plagued with viruses. For instance, student residential networks are able to connect to an academic research database at various points, but the connection can be terminated quickly by administrators.
And aside from firewalls, network monitoring and antivirus software, a clearly enforced computing security policy that carries penalties of expulsion for hackers can head off problems better than any technology, according to Temares.
The University of Miami clearly states that hacking is grounds for expulsion, he says. Other schools treat student Internet security breaches, such as probing unauthorized servers and publishing copyrighted materials, as they would other campus offenses (say, drinking and noise violations) and send the issue to Student Affairs for hearings. If there's a serious breach such as identity theft, cases are handled by law enforcement agencies.
Kahkedjian learned the hard way last year. On a five-point rating system where the worst is a 1, Eastern Connecticut State had a level-2 outage last year, meaning it "posed a threat to the integrity or operation of critical university systems." Students used to just plug and play on the residential network. When students plugged in at the beginning of last year, they brought a host of viruses such as SoBig with them. Kahkedjian says there wasn't one major virus that hurt the network, just an onslaught of many. As a result, the network collapsed, with some dormitories going as long as two weeks without access.
Luckily, Eastern Connecticut State keeps residential networks separate from its academic and administrative systems. Students can gain access when needed through virtual private networks, but executives like Kahkedjian can cut them off.
This year, the school will require all students on the residential network to authenticate their identity with passwords, and will ensure that all computers are up to date with the latest antivirus software and patches. For instance, if a student's Windows XP desktop doesn't have the latest security patches, he won't gain access to the network until the patches are put in.
"It's forced awareness," says Kahkedjian. "When it comes to security, faculty and students get the same message. A lot of students don't realize how vulnerable they are."
By monitoring networks, universities are hoping to head off security issues before they arise. Northeastern University, which counts Napster founder Shawn Fanning among its former students, has another technique. When a student is on the network doing something that may raise red flags (downloading 10 movies, for instance), his connection is cut off, says Bob Weir, vice president of information services at Northeastern. Excessive traffic from viruses also prompts Northeastern to terminate the connection.
Once the connection is cut, the student is invited to a class outlining the university's appropriate use policies. Weir's group can also examine the student's machine to debug it, if necessary. Service is restored in 24 hours, Weir says, adding that he's only seen one or two repeat offenders in the last three years.
The University of Miami also has safeguards to keep unauthorized users away from its core systems. To access one of the school's academic or administrative networks, a student needs a user name and password to access an application, has to be at a location connected to the network unless there are VPN privileges, must pass through a firewall with intrusion detection, and is registered into a database that logs who accessed the software. During a session, all IP addresses and activities are logged for auditing.
Technology executives, however, say you can't completely segregate students. A more viable strategy, according to Temares, is to include students in technology decisions, get their input, and watch how they use messaging, personal digital assistants and the like. When bandwidth usage got out of hand, Temares went to student government groups for help. The choices: self-regulation, or more tuition hikes to pay for bandwidth. Now students largely regulate their file transfers in keeping with network constraints.
When Cleveland State built its wireless network, Droney consulted student groups. One suggestion: Students didn't want to carry laptops everywhere. As a result, Droney set up laptop checkout counters near classes where students could use laptops for four hours at a clip.
Stanford University is also looking to students to get ahead. Chris Handley, Stanford's chief information officer, says the school has put students on faculty advisory committees. Handley is also looking to create a separate student advisory group focused on "what computing should look like."
Temares has an army of 120 work-study students in his technology labs where he not only gets labor, but also can observe how they use messaging, collaboration systems and other applications. The main finding is that universities aren't sure how to proceed with implementing these tools. That fact may not have surfaced without observing students in action.
"[Work study] is a teaching tool, but we also learn what we can from the honest ones," Temares says. "We learn from the dishonest ones the hard way."